Azure – Extend Azure to your on-premises with ARC

As announced at the Microsoft Ignite 2019 Conference (see you can now extend Azure Resource Manager (ARM) capabilities – including your Azure governance policies – to your on-premises servers with Azure ARC, as well as other cloud services.

By extending ARM outside of Azure, you will be able to see your servers on the Azure portal like any other Azure resources.

To start extending ARM and start using the ARM capabilities outside, logon to your Azure portal ( and search for Azure ARC


You will see 2 results:

  • Azure ARC
  • Machines – Azure ARC (which will list your registered ‘non Azure’ servers)

Select Azure ARC and start registering your servers; you can also register for the public preview for Kubernetes and other cloud services


For this post, I’m going to register my servers by using the Manage servers option


By hitting the Add or Create machine – Azure ARC buttons you will get to a blade to generate a PowerShell script for interactive/individual registration or you can use a scalable process for registering multiple servers at once.

NOTE you must create the resource group where you want to host your ARC servers before proceeding; there is no option to create the resource group

Interactive Script Onboarding

When selecting the interactive script option you have to fill few details like the operating system and/or proxy  service (if any)


The Region option defines where the server metadata will be stored; there is no customer data (aka data hosted on the server) being saved.

Once you have completed the script creation wizard, you can copy and save the provided code to be executed on the servers in interactive mode, or use the Download button to save the PowerShell script itself directly.

As you will notice, the code is first downloading a MSI package; the MSI package can be reused for the deployment at scale option (see below).

You can update little bit the code to define where to save the installation log file (installation.txt) and/or disable the logging.

As always when running PowerShell scripts on servers, it is recommended to use the Run As Administrator


When running the PowerShell script you will get prompted to logon to the device authentication page and enter the provide code

image  image  image  image

If the device authentication process successes, you will see the message

level=info msg=”Successfully Onboarded Resource to Azure” VM Id=<machine ID>


Then after few minutes, your registered server should be now listed within the Machine – Azure ARC


From there you can then manage this server using Azure ARM to apply RBAC and compliance policies


At Scale Onboarding

If you want to onboard a bunch of servers at once, it is preferable to use the Add machine at scale option

Doing so you need to create a Service Principal in Azure AD and then deploy the MSI package you have generated using the interactive script onboarding option or by using the below PowerShell command

For Windows OS: Invoke-WebRequest -Uri -OutFile AzureConnectedMachineAgent.msi

For Linux OS: wget -O ~/

These packages are also available for download directly from Microsoft download website:

Let’s create the Service Principal (I’m using Azure Cloud Shell for simplification purpose)

NOTE do not change the name of the service principal

$sp = New-AzADServicePrincipal -DisplayName “Arc-for-servers” -Role “Azure Connected Machine Onboarding”


Retrieve the service principal password

$credential = New-Object pscredential -ArgumentList “temp”, $sp.Secret



NOTE you will need to save it as you will not be able to get it later

NOTE the secret created is valid for 1 year; see below if you need to change it and/or set a different expiration period

The Service Principal created can be access from the App registration blade and then searching for Arc, then just go to the Certificates & secret blade

image  image

Now you can deploy the Azure ARC agent MSI package and then execute the PowerShell command to connect the agent to Azure ARC


& “$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe” connect –service-principal-id “{your spn appid}” –service-principal-secret “{your spn password}” –resource-group “{your resource group name}” –tenant-id “{your tenant id}” –location “{location where the server metadata will be saved}” –subscription-id “{your subscription id}”

Linux bash

azcmagent connect –service-principal-id “{your spn appid}” –service-principal-secret “{your spn password}” –resource-group “{your resource group name}” –tenant-id “{your tenant id}” –location “{location where the server metadata will be save}” –subscription-id “{your subscription id}”

If your server is not reporting and/or not showing as connected, you can check if the service Azure Hybrid Instance Metadata Service is running


Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.